How Are Hackers Exploiting NFC Feature?

Normally, when a person sends an app via NFC, a prompt appears on your device asking for permission to install the app from an unknown source.

In January this year, a security researcher named Y. Shafranovich found out that if you sent an app to someone via NFC beaming on Android devices running Android 8 (Oreo) or above — no notification appears and users can install the app with just a tap. It does not explicitly asks users whether they want to install the app from an unknown source.

Google, generally, displays a security warning when you try to install an app that is not downloaded from the Google Play Store. However, it has whitelisted certain services like the Dropbox Android app and Google Chrome to install an app without displaying the security notification.

The bug, which has now been patched by Google in its October 2019 Android updates, arises due to the fact that Google whitelisted the NFC Beaming feature. If you receive an APK file via NFC beaming on your Android device, it will be installed without a warning and the app could bundle a malicious malware.

One of the reasons why this bug should be taken seriously by users is that in most of the new Android devices, the NFC feature is enabled by default and you wouldn’t even know if the feature is on your smartphone right now.

According to Google, the NFC beaming feature was intended to send apps, it was designed to share data like images, videos, and files between two Android devices.

How To Protect Yourself From Android NFC Beaming Bug?

Google has now patched the bug by removing the NFC Beaming feature from its list of whitelisted apps. To be on the safer side, you can turn off the NFC and Android Beam features on your smartphone. We recommend our users to update your Android smartphone if you haven’t yet.

However, the NFC feature works only when you hold two devices in very close proximity (4cm or 1.5 inches). Therefore, if an attacker needs to plant malware in your Android device, he needs to bring his phone really close to your device and you can always be aware of it.

Anmol is a tech journalist who handles reportage of cybersecurity and Apple and OnePlus devices at Fossbytes. He's an ambivert who is striving hard to appease existential crisis by eating, writing, and scrolling through memes.